Forgot your password?
typodupeerror
Security Australia Education Idle Technology

Aussie Kids Foil Finger Scanner With Gummi Bears 303

Posted by samzenpus
from the gummi-security dept.
mask.of.sanity writes "An Australian high school has installed 'secure' fingerprint scanners for roll call for senior students, which savvy kids may be able to circumvent with sweets from their lunch box. The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance. The school principal says the system is better than swipe cards because it stops truant kids getting their mates to sign-in for them. But using the Gummi Bear attack, students can make replicas of their own fingerprints from gelatin, the ingredient in Gummi Bears, to forge a replica finger. The attack worked against a bunch of scanners that detect electrical charges within the human body, since gelatin has virtually the same capacitance as a finger's skin."

*

This discussion has been archived. No new comments can be posted.

Aussie Kids Foil Finger Scanner With Gummi Bears

Comments Filter:
  • Next up... (Score:5, Insightful)

    by Moryath (553296) on Thursday October 28, 2010 @02:16AM (#34046512)
    I can just see it now. Next they come up with one to detect "body heat" in the finger.

    And the kids circumvent it by keeping the gummy bears in their pockets on the way to class.

    Once again, a "foolproof" system proves to be only as useful as the fool who invented it.

    • Re:Next up... (Score:5, Insightful)

      by interkin3tic (1469267) on Thursday October 28, 2010 @02:49AM (#34046658)

      I can just see it now. Next they come up with one to detect "body heat" in the finger.

      Or they just try to ban gummi bears. If they're coming up with a stupid fingerprint scanner, these are obviously the typical school administrators, cut from the same cloth as those who gave their students laptops and didn't tell them they'd be watching them through the webcam at all times, adding to the contraband list is probably going to be their first reaction. Maybe if the ban fails miserably, they'll just tattoo barcodes onto their foreheads.

      I suspect the public would not be so willing to accept encroaching police states and governments slowly taking away our rights if schools had to actually justify shit like this to the students.

      • by drinkypoo (153816)

        I suspect the public would not be so willing to accept encroaching police states and governments slowly taking away our rights if schools had to actually justify shit like this to the students.

        I suspect the public would not be so willing to accept encroaching police states and governments slowly taking away our rights if they weren't trained to accept whatever is done to them as students. School is terrible life training, unless you want to be a corporate wage slave who does as you are told and accepts any amount of abuse because you do not have self-esteem or a sense of control over your own life.

        As adults we can at least ask the law to protect us. As children we are placed in a situation of phy

    • Re:Next up... (Score:5, Insightful)

      by choongiri (840652) on Thursday October 28, 2010 @02:57AM (#34046682) Homepage Journal
      Whether it's technically possible to defeat the system isn't the issue. If you're trying to force kids' presence with technological measures rather than encourage leaning and enthusiasm socially, you're doing something wrong. Especially since this is talking about older kids. Try giving them something fun to do, instead of demanding they bio-retina-dna scan in after recess.
    • by martas (1439879)
      actually, i remember a russian news story from many years back (5-6) about some dudes that designed a fingerprint scanner that detected blood flow in the finger, thus supposedly making sure that what's being scanned is actually a finger. as i recall, it was basically this thing you stuck your finger into, with some kind or radiation from above (IR, probably, though not sure), and sensors underneath, that detected heartbeat.
      • by tehdaemon (753808)
        There is an Android app that uses the phone's camera to measure heartbeat. You put your fingertip up to the camera lens. It works fairly well.

        T

      • Re:Next up... (Score:4, Informative)

        by Joce640k (829181) on Thursday October 28, 2010 @04:46AM (#34047064) Homepage

        So... you do what Mythbusters did and make a thin gel fingerprint and stick it to your real finger. You'll have temperature, heartbeat, everything.

        It's an unsupervised machine and input sensors can *always* be fooled. Period.

        • Re: (Score:3, Insightful)

          by Rogerborg (306625)

          Actually, what the Mythbusters found was that their high end fingerprint lock, which claimed to check for pulse, heat and capacitance, could be fooled with nothing more than a (moistened) photocopy of a finger.

          Laptop scanners fared better, but the door ones seem to be security theatre.

      • by delinear (991444)
        If the gummi bear is stuck on the end of the finger, it sounds like this would still be sufficient to fool the scanner.
    • by Catmeat (20653)
      Once again, a "foolproof" system proves to be only as useful as the fool who invented it.

      There is a fool here, but not the inventor - from his or her PoV the system did exactly what it was supposed to do, it got sold. Though whether more will be sold after this story is another matter.

      The security business isn't about providing solutions that work. It's about providing solutions that appear to work in promotional DVDs and glossy brochures, making it possible to persuade people in authority to write cheq

      • by cynyr (703126)

        The machine assumes someone will be paying attention and watching for those using gummybears...

    • This already works by using a thin layer of gelatin on your fingers, and has been well documented for years.

      http://www.schneier.com/crypto-gram-0205.html [schneier.com]

  • My faith in this generation has been restored!

    Now get off of my lawn.

  • by lorelorn (869271) on Thursday October 28, 2010 @02:23AM (#34046536)
    Fuck, YES. I read the original story, about the school introducing this moronic system, and could only shake my head. Attempts at total control are generally the solution proffered by lazy bureaucrats as an alternative to them doing their jobs. Here’s an idea - instead of working out ways of forcing the kids into school and keeping them there - why not work to make it compelling for them to come to school in the first place. I know, hard, right? Idiots. However, the creative (dare I say scientific) solution employed, and so quickly makes me remotely proud of our clever children. It’s nice to see the kids are far more intelligent and creative than their so-called teachers. I will have somewhat less pride when they remotely drain my bank account and I am forced to live on cast off gummi bears, but hey.
    • I agree that its a stupid and lazy approach. But there is only so much you can do to "make it compelling" until reality sets in that discipline is necessary for children.

      The oldest approach is still the best - have teachers (and not machines) who **recognize** kids conduct roll calls.

      • Re: (Score:3, Insightful)

        by The Hatchet (1766306)

        Kids in some areas of the world willfully walk miles to school every day. Why? because they are learning. In America, our schools force our students to memorize arbitrary facts in arbitrary order with no regard to context or meaning. This is problematic because the brain is typically terrible at memorizing out of context, out of order, arbitrary information, we have a very small capacity for it. On the other hand, it is possible to cover several weeks of math in a single day, and the students will enjoy

        • by cappp (1822388) on Thursday October 28, 2010 @04:29AM (#34047002)
          What? Kids willingly walk miles to school every day because it's drilled into their heads that the only way off the farm, out of the slums, or whatever their particular disadvantage happens to be, is through education. There's no magical inspirational African/South American/Chinese teaching model that somehow drives these kids out of their beds before dawn and across miles with hungry bellies and an urge to learn. Hell, most of those kids are walking miles to school every day to learn arbitrary information, out of order, and by rote. Teaching kids to be critical learners, to engage with knowledge? That's a privilege that's only found in the rich western educational model, certainly not in the shanty towns.

          That being said, I understand your broader point and agree somewhat. Education has to be relevant, it should be interesting, and it shouldn't be one-size-fits-all. However, if we're honest we have to admit that that kind of system is expensive, demands teaching excellence, is hard to assess, and complicated to run. The US has over 60 million students in primary and secondary schools - that's an enormous population. There are a lot of problems with education in the west - most of them related to broader social issues like violence, poverty, ignorance et al - but it’s not nearly as bad as some of us seem to feel. There is a logic to a lot of the problems you’re complaining about and while matters could possibly be dealt with in better ways it’s going too far to claim the system itself is bullshit hell.
          • Re: (Score:3, Interesting)

            From my Eastern EU perspective attendance (and performance) is easy to fix.

            Make schools free, but mandatory. Make it mandatory for the student to finish school. If a student does not pass the test for at least 50% level in ALL classes, then he automatically stays in that class for the second year. Key tests are centralized and secret - every pupils of every school take the same test at the same time and all results are graded by teachers in other randomly chosen schools (to prevent cheating and grade boosti

            • I don't think your idea is such a bad one. I don't think it would every get implemented in the US. The main reason is how much it would cost. The next reason is that very few people actually care that much about education. Not only would the religious types howl, but many "average" people in the states are deeply suspicious of learning, especially when it is controlled by the state.
              • by Bengie (1121981)

                I don't know where you are in the US, but over in the midwest here, parents can get fined if their kids don't show up to school. The only way around this is to have proof of homeschooling.

            • by Stooshie (993666)
              Wow, I just love your realistic outlook on life!
            • Is that the Eastern EU perspective, or the Eastern EU perspective from 25 years ago? Because that all sounds a bit excessive -- removing kids from their families, taking away the right to vote because you flunked school. Centralized tests have their own problems, and are most useful for corporations who want to have an easy way to categorize people. Your 50% level for passing a grade is arbitrary, and most educators seem to think that -- at least in the first years -- pupils should not be able to fail a gra

    • When I was at school we had to sit in a room and the teacher would read out a list of names and you had to say "here!".

  • by n1hilist (997601) on Thursday October 28, 2010 @02:33AM (#34046580)

    Duke Igthorn is NOT going to be happy when he hears about this!

  • Misleading Title (Score:5, Informative)

    by scdeimos (632778) on Thursday October 28, 2010 @02:33AM (#34046582)
    Nobody has actually foiled the high school fingerprint scanners yet, it's still only in the realm of (likely) possibility - especially after the kids see this story on /.
  • Biometric, swipe cards or any other method they use will have loopholes when left alone. All it needs is a single teacher to watch everyone put their fingers there. But if I were in school I'd hate that too (*mutters* "fucking attendance nazis").

    In my old 2nd language class in school, we would all file in, sit down and the teacher would go through the list & call out the students she thinks is absent. But it was all on paper and there was no tallying done until the end of the term.

    But I must applau

    • by EdIII (1114411) on Thursday October 28, 2010 @03:31AM (#34046804)

      Quite a long time ago the school district I was in kept attendance records on a computer. The password was kept on a piece of paper in the secretary desk, but that didn't matter. They had a 2400 baud modem connected to a hard line that allowed access for all sorts of records to be shared. I guess they figured the security was knowing that magic 7 digit number written on the modem, and not believing for a second that any child could possibly get the idea to call it, let alone with their own modem, and never one that understood computers better than they did.

      One of my first entrepreneurial ventures was attendance management services to other kids. In this system once you hit a certain level of tardiness, or missed classes, it triggered a physical letter to be sent to the parents. I could make sure that didn't happen. Was fairly profitable and this was back when "computers never lied" and hacking was not well understood by anybody, least of all school administrators.

      I had to stop when it became obvious in some parent teacher conferences that some students had clearly been ditching a lot of classes according to the teachers, but the records on the computers no longer matched the written records of the teachers. Good thing I used the computer lab and my own modem otherwise the phone records would have busted me... if the investigation even got that far. Since the "corrupt" records matched the district offices, it was assumed the computer itself was faulty somehow. They just ended up replacing it... but leaving the modem.

      I guess my point is overall, that if schools are really serious about taking attendance, maybe they should concentrate less on the technology and more about giving a shit "hands on". Teachers should have the phone numbers and email addresses of their students parents, and I don't know, use them. I would have never gotten away with what I did had their been even a small amount of caring amongst the staff. At this point in my life it disapoints and saddens me that a teacher would not directly call the parents once a student missed 3 classes in a week. Waiting for an automated system to send a letter out after 7 missed classes just allows a problem to fester for around a month before anybody starts to address it.

      Of course I can't blame a lot of the teachers. When you are chronically underpaid and have to do ridiculous shameful shit like purchasing resources out of your own pockets for your students, I can understand how some become burned out and disillusioned.

      Kids pick up on that too. If they feel they are in a situation where people don't care and it's a mechanical mind numbing system they are forced to deal with, they will react, and most often negatively.

      I guess what pisses me off more about this story is they could have used the money in that budget to raise the teachers salary and just had the teachers write down attendance in a book and have the empowerment to directly call the fucking parents.

    • Biometric, swipe cards or any other method they use will have loopholes when left alone. All it needs is a single teacher to watch everyone put their fingers there.

      But isn't the whole point of this so that you don't need to employ someone to check attendence? If you have to employ someone to stand there, why no just get that same person to call out names and record on a register?

      • by cynyr (703126)

        unmonitored physical access to the device means it is compromised. Hell it could be as simple as using the USB "setup" port to make it say what ever you want. Heck, program it to just use a list, first finger checks in first person on the list, and so on, stick people you like at the top, and people you don't near the bottom.

  • Let's see... (Score:5, Insightful)

    by kurokame (1764228) on Thursday October 28, 2010 @02:36AM (#34046590)

    * You have to buy a new system and probably sign a support contract for it
    * It ties up personnel with deployment
    * It doesn't work any better than the old system
    * It raises significant privacy issues not present in the old system
    * It raises huge data security and disposal issues not present in the old system
    * Adding a new student is more invasive and time consuming than in the old system
    * Fingerprint biometrics can track an arbitrarily large set of individuals...but they can only distinguish a few hundred

    Yep, that sounds like a textbook example of educational bureaucracy.

  • by PatPending (953482) on Thursday October 28, 2010 @02:37AM (#34046598)

    Quoting from the end of the fine article (emphasis added by me).

    Tsutomu Matsumoto, a Japanese cryptographer, uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.

    His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.

    Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.

    • by Warhawke (1312723)
      Isn't this exactly what Mythbusters did on their cryptography episode?
    • Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor.

      This technique also has the added benefit that the gelantine will have the correct temperature, so fingerprint sensors that measure temperature will also be foiled. If the gelantine is thin enough, it might even foil pulse detectors, so you'll pass the most common "life detectors".

    • by dbIII (701233)

      cyanoacrylate adhesive

      In the early 1990s I was using that to examine pipework in power stations for early signs of high temperature damage. I would grind, polish and etch the pipe then stick cyanoacrylate on the surface. I would peel it off and examine it under a microscope at up to 800x or after gold coating an electron microscope at even higher magnifications.
      There is no fingerprint scanner on earth that would be able to tell the difference on resolution alone.

      • by mbstone (457308)

        But if the surface of the fingerprint scanner was covered in cyanoacrylate, good luck getting your fingerprint back....

        • by dbIII (701233)
          I should have mentioned the step where a solvent is used to stick it onto the surface to avoid strange and misleading karma point seeking replies like the above. The solvent dries in a few seconds making the above situation unlikely to ever occur. Amusing failed attempt at trying to look as if you know what you are writing about however, but why bother, your karma score would have maxed out years ago.
    • They invented all that, not some Japanese guy.

      (If the show isn't a trick...)

  • by PatPending (953482) on Thursday October 28, 2010 @02:46AM (#34046636)

    Until Discovery Communications has it taken down--

    http://www.youtube.com/watch?v=LA4Xx5Noxyo

  • ..they shouldn't be getting money to pay for teachers.

    swipe cards would be enough if the teacher actually paid attention when the kids are swiping the cards.

    is it a movie theater or a school?

  • Over-hyped as usual (Score:3, Interesting)

    by PerformanceDude (1798324) on Thursday October 28, 2010 @02:56AM (#34046678)
    So, the school introduces this and the headline is: Students may be able to circumvent it using gummy bears. Boo hoo!! As if any other measure may not be circumvented. A simple supervision or CCTV of the scanner would detect any circumvention attempt.

    I'll be more impressed when they have an article that says: Kids circumvented fingerprint scanners at school using gummy bears.

    Kids should be in school. Period. Our present breed are just as crafty as we used to be back in the day in trying to avoid the system. That is how you create innovative kids in the first place. Those kids who defeats this totalitarian system and gets away with it - well - they deserve the day off :)

    • by vadim_t (324782)

      So, the school introduces this and the headline is: Students may be able to circumvent it using gummy bears. Boo hoo!! As if any other measure may not be circumvented. A simple supervision or CCTV of the scanner would detect any circumvention attempt.

      First, to do this you don't need to do something highly obvious like pulling a gummi bear out of your pocket and mashing it against the sensor. You can make a thin strip, and stick it to your finger, then go through all the usual motions.

      Second, sure, with enou

  • Called me old fashioned, but whatever happened to teachers actually knowing their kids and simply taking attendance that way?
    • by SeaFox (739806)

      Enlarging class sizes in the face of budget shortfalls means it becomes more difficult for teachers to actually learn and keep track of that many students and roll call becomes impractical due to time constraints, not to mention knowing your class enough you can tell if the person you called on is the same one answering as present.

  • I faintly remember back in high school, when we had substitute teachers sometime. One was particularity dim, so most folks cut that class. I was in it, and the substitute teacher passed around a paper for all the students to sign in. There were three of us in the class, and about three hundred names were on the list that we passed back: "Who's Dick Hertz?", etc.

    Students will always find a way to get around stuff like this . . . .

  • by thegarbz (1787294) on Thursday October 28, 2010 @03:40AM (#34046842)
    "Chris?"
    "Here Miss"
    "Peter?"
    "Present Miss"
    "Well it looks like everyone who's going to be here is here already, let's get started!" She thought knowing full well that a few of the students skipping the class will be reported to the principle yet again.

    Fingerprints? Really? Whatever is wrong, it's not the fault of the system that has served us for hundreds of years, and doesn't need some stupid technology to fix it.
    • by wrook (134116) on Thursday October 28, 2010 @06:06AM (#34047356) Homepage

      Actually, it's even easier than this. At the school I work for the teachers know what the students look like and what their names are. If one of the seats in the classroom is empty, usually it means a student is missing. If another student tries to impersonate someone you can tell by looking at them. So far this system is working pretty well. I'm pretty sure it's cheaper than a fingerprint scanner too.

  • Several teachers that I had relied on the class staying pretty constant, and gave each student a number in alphabetical order. To "Call roll", you would listen for the number before yours, and after that was said by the student in question, you would say yours. Any absences were immediately obvious, and it took no more than a minute to finish it.
  • Kids Are Alright (Score:4, Insightful)

    by mbstone (457308) on Thursday October 28, 2010 @04:59AM (#34047112)

    While school kids may yet learn to scam extra lunches and play hooky through the use of gummi candy biometrics, the headline is bogus. None of the linked articles reported that any kids anywhere are doing anything with gummi bears except fucking up their teeth.

  • Kids' ingenuity is always at its best when fighting the man. Maybe they'll be smart and Orwellian. You know, like the Chinese.
  • Pure gelatine may (or may not) have the exact same capacitence... But what about the sugar, flavourings etc?

    Then there's the fact that if you pressed your finger into a gummi bear, it's not going to create a lasting or deep impression. Perhaps if you really squashed the gummi bear it would create a detailed, lasting impression but then you're going to be left with a fragile, thin piece sheet of gelatine that would fall apart if you pressed it on the scanner.

    Yes you could create a mould of the finger a
  • If the machine can track you the next thing is it wants to control you. Who doesn't feel like giving Big Brother the slip? Big Brother is the guilty conscience come into reality, ready to find fault and curtail life's evil little pleasures.

    The best way to fool Big Brother is to let it think it knows the truth, to invent reality.

  • My old school had a sign-in system based on face-recognition. Nobody ever found a way to circumvent it. This was 25 years ago, but I believe others were using a similar system even earlier.
  • by pinkushun (1467193) on Thursday October 28, 2010 @07:46AM (#34047684) Journal

    ... or this tasty!

  • Mythbusters already covered this.Just take a photocopy and it will work.

    When I went to school, we had a class book where teachers would note who was not in. When I was responsible for the classbook, about half of the class once skipped a few lessons. When I was ordered to the principal he asked me if I was absent during those classes. I gave him the book and said stone cold: "My name is not written down in the book, so that must mean I was there."

    He went for the logic, not thinking that the book and I where

  • Fingerprint scanners for ROLL CALL? Really?

    I'm all for technological advances, but just how lazy do you really need to be? Is it too much to ask the teachers to take roll call like they have been for hundreds of years, and LOOK at the students to make sure they are who they say they are?

    Somehow I'm getting less and less surprised that Australia has passed the US as the most obese nation in the world...

  • Perfect Solution (Score:3, Insightful)

    by lee1 (219161) <lee.lee-phillips@org> on Thursday October 28, 2010 @09:44AM (#34048872) Homepage
    If students don't want to attend school then there is something wrong with the school. Fix the school so that the students want to go there; then you don't need a fancy biometric scanner.
  • Alexander's solution (Score:3, Interesting)

    by rlseaman (1420667) on Thursday October 28, 2010 @01:18PM (#34052528)
    Alexander the Great solved the same problem with the Gordian Knot in the 4th century BCE. Smash the scanner. The modern improvement would be to disable it less flamboyantly and enjoy the theatrical performances of the assistant principle and custodial supervisor standing around scratching their heads.

"In matters of principle, stand like a rock; in matters of taste, swim with the current." -- Thomas Jefferson

Working...